2020 Spring Reports of the Auditor General of Canada to the Parliament of Canada Independent Auditor’s ReportReport of the Auditor General of Canada to the Governing Council of the Standards Council of Canada—Special Examination—2019
2020 Spring Reports of the Auditor General of Canada to the Parliament of CanadaReport of the Auditor General of Canada to the Governing Council of the Standards Council of Canada—Special Examination—2019
Independent Auditor’s Report
Table of Contents
- Introduction
- Findings, Recommendations, and Responses
- Conclusion
- Subsequent Events
- About the Audit
- List of Recommendations
- Exhibits:
- 1—Canada’s voluntary National Standards System involves the Corporation, standards development organizations, stakeholders, and international organizations
- 2—The Corporation’s financial results
- 3—Corporate governance—key findings and assessment
- 4—Strategic planning and performance measurement, monitoring, and reporting—key findings and assessment
- 5—Risk management—key findings and assessment
- 6—Operations management—key findings and assessment
This report reproduces the special examination report that the Office of the Auditor General of Canada issued to the Governing Council of the Standards Council of Canada on 27 March 2019. The Office has not performed follow-up audit work on the matters raised in this reproduced report.
Introduction
Background
1. Standards affect many aspects of our lives, including the food we eat, the cars we drive, and the electronic devices we use. According to the Standards Council of Canada, standards help ensure better, safer, and more efficient methods and products, and they are essential elements of technology, innovation, and trade. For example, a standard exists specifying performance requirements and test methods for helmets marketed, sold, and intended for ice hockey.
2. Standards are voluntary when organizations are not legally required to follow them for their products or services. However, organizations may decide to follow standards as a result of customer or industry demands. Standards are mandatory when they are enforced by laws or regulations—for example, for health or safety considerations.
3. The Corporation defines standardization as the development and application of standards, which includes the work of the committees that develop standards; the publications of standards by standards development organizations (SDOs); the application of standards by businesses, suppliers, and customers; the verification that products or services conform to applicable standards (conformity assessments); and the accreditation of organizations that provide conformity assessment services.
4. The Standards Council of Canada is a federal Crown corporation established under the Standards Council of Canada Act in 1970. It reports to Parliament through the Minister of Innovation, Science and Economic Development. According to the Act, the Corporation’s mandate is to promote efficient and effective voluntary standardization in Canada, where standardization is not expressly provided for by law and, in particular, to
- promote the participation of Canadians in voluntary standards activities;
- promote public-private sector cooperation in relation to voluntary standardization in Canada;
- coordinate and oversee the efforts of the persons and organizations involved in the National Standards System;
- foster quality, performance, and technological innovation in Canadian goods and services through standards-related activities; and
- develop standards-related strategies and long-term objectives.
5. The Corporation coordinates Canada’s voluntary National Standards System, which is a network of people and organizations involved in the development and use of voluntary standards (Exhibit 1). The Corporation does not develop national standards. It accredits organizations to develop standards, which become National Standards of Canada. There are 10 SDOs that the Corporation has accredited to develop standards in Canada: Air-Conditioning, Heating, and Refrigeration Institute; American Society for Testing and MaterialsASTM International; Bureau de normalisation du Québec; Canadian General Standards Board; Canadian Standards AssociationCSA Group; Health Standards Organization (HSO); International Association of Plumbing and Mechanical Officials; National Sanitation FoundationNSF International; Underwriters Laboratories of CanadaULC Standards; and Underwriters Laboratories IncorporatedInc. (UL).
Exhibit 1—Canada’s voluntary National Standards System involves the Corporation, standards development organizations, stakeholders, and international organizations
Exhibit 1—text version
This diagram identifies the main roles and interrelationships of groups involved in developing and using voluntary standards in Canada. The groups include
- the Standards Council of Canada;
- consumers and other stakeholders, including individuals and groups from industry, academia, and government;
- 10 standards development organizations (SDOs), 2 of which are self-declaring; and
- international organizations, such as the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO).
Together, these groups help develop the National Standards of Canada.
As coordinator of the National Standards System, the Standards Council of Canada
- consults with stakeholders and identifies needs for standards,
- accredits organizations to develop standards and coordinates the development of standards with the 10 SDOs,
- approves standards as National Standards of Canada, and
- provides members for technical committees of international organizations.
The 8 SDOs that are not self-declaring
- consult with stakeholders and identify needs for standards,
- develop voluntary standards, and
- send standards to the Standards Council of Canada for approval.
The 2 SDOs that are self-declaring
- consult with stakeholders and identify needs for standards,
- develop voluntary standards, and
- approve the standards as National Standards of Canada.
The self-declaring SDOs have met criteria established by the Corporation and have been authorized to approve standards without further approval from the Corporation.
International standards from international organizations may be adopted by the SDOs.
6. The Corporation also accredits organizations that conduct conformity assessments, a practice of determining whether a product, service, or system meets the requirements of a particular standard. As of 31 March 2018, there were 472 conformity assessment organizations. Of these, most (334) were laboratories, but there were also organizations that specialized in product certification, greenhouse gas validation and verification, and management systems certification, among others.
7. The Corporation also has a member program to facilitate Canada’s participation in standards development activities and to ensure that Canadian interests are considered in the development of international standards.
8. Headquartered in Ottawa, the Corporation had, in the 2017–18 fiscal year, approximately 109 full-time employees and $23.9 million of operating expenses, more than half of which was financed through funding from Parliament. The remaining portion was from revenue-generating activities such as accreditation service fees and royalties from the sale of standards (Exhibit 2).
Exhibit 2—The Corporation’s financial results
Fiscal year | Revenues ($ millions) | Expenses ($ millions) | Government funding ($ millions) | Surplus (deficit) ($ millions) | Accumulated surplus ($ millions) |
---|---|---|---|---|---|
2017–18 | 10.5 | 23.9 | 13.8 | 0.4 | 4.2 |
2016–17 | 9.8 | 21.8 | 10.5 | (1.5) | 3.8 |
2015–16 | 9.5 | 20.6 | 10.2 | (0.9) | 5.3 |
2014–15 | 8.6 | 20.4 | 12.9 | 1.1 | 6.2 |
Source: The Standards Council of Canada’s annual reports
Focus of the audit
9. Our objective for this audit was to determine whether the systems and practices we selected for examination at the Standards Council of Canada were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.
10. In addition, section 139 of the Financial Administration Act requires that we state an opinion, with respect to the criteria established, on whether there was reasonable assurance that there were no significant deficiencies in the systems and practices examined. A significant deficiency is reported when the systems and practices examined did not meet the criteria established, resulting in a finding that the Corporation could be prevented from having reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.
11. Based on our assessment of risks, we selected systems and practices in the following areas:
- corporate management practices
- management of operations
The selected systems and practices and the criteria used to assess them are found in the exhibits throughout the report.
12. More details about the audit objective, scope, approach, and sources of criteria are in About the Audit at the end of this report.
Findings, Recommendations, and Responses
Overall message
13. Overall, we found that the Corporation had good operations management practices, but improvements were needed in some areas. In corporate management practices, we found a significant deficiency in Governing Council appointments. This, combined with weaknesses in Governing Council independence and oversight, led us to conclude that there was a significant deficiency in corporate governance as a whole. We also found that improvements were needed in risk management.
14. Specifically, we were concerned about the number of vacancies and expired terms on the Governing Council as of August 2018. Two committees were at risk of losing quorum, which was due to circumstances outside of the Corporation’s control. We also found that members of the Governing Council and its committees failed to regularly disclose potential conflicts of interest, and when a potential conflict was identified, there was no documentation to confirm that it had been addressed. Further, we found that the Corporation did not provide the Governing Council with all the information it needed to oversee the Corporation effectively. Finally, we found that the Corporation could improve how it managed its risks by having clearer risk mitigation responses and by improving its risk monitoring and reporting.
15. On the operations side, we found that the Corporation had not systematically considered the potential impact of complaints against accredited organizations that may not have been directly related to the accredited activities. We also found no evidence that the Corporation reviewed the organizations’ publicizing of their accreditation. The Corporation had not defined in its procedures what constituted a “mature draft” when voluntary standards were published for public review. Finally, we found that under the new self-declaration model, the Corporation reviewed standards development projects on a sample basis and only after the standards development organizations had approved and published them, regardless of the risk.
Corporate management practices
16. The Corporation’s Governing Council has 13 members, 10 of whom are appointed by the Governor in CouncilDefinition i on the recommendation of the Minister of Innovation, Science and Economic Development. The appointment process is outside of the Corporation’s control.
17. The Governing Council is supported by the Audit Committee, the Corporate Governance Committee, and two advisory committees required by the Standards Council of Canada Act: the Provincial-Territorial Advisory Committee and the Standards Development Organizations Advisory Committee.
There was a significant deficiency in corporate governance, and improvements were needed in corporate management
18. There was a significant deficiency in Governing Council appointments, as delays in appointing members put two of its committees at risk of losing quorum and could have compromised its ability to provide oversight. There was also no ongoing disclosure of potential conflicts of interest by Governing Council members. Furthermore, improvements were needed in Governing Council oversight because the Governing Council did not receive all of the information it needed. Combined, the significant deficiency in Governing Council appointments and the weaknesses in Governing Council independence and oversight amounted to a significant deficiency in corporate governance as a whole. Finally, we found weaknesses in risk management.
19. See Subsequent Events at the end of the report for additional information.
20. Our analysis supporting this finding discusses the following topics:
- Corporate governance
- Strategic planning and performance measurement, monitoring, and reporting
- Risk management
21. Our recommendations in this area of examination appear at paragraphs 25, 28, 31, and 37.
22. Analysis. We found a significant deficiency in Governing Council appointments, and weaknesses in Governing Council independence and oversight. The Corporation had good corporate governance practices for providing strategic direction (Exhibit 3).
Exhibit 3—Corporate governance—key findings and assessment
Systems and practices | Criteria used | Key findings | Assessment against the criteria |
---|---|---|---|
Governing Council independence |
The Governing Council functioned independently. |
The Corporation established a process for Governing Council members to annually declare conflicts of interest. The Governing Council made decisions independently from management. Weaknesses The Governing Council and its committees had no ongoing disclosure of potential conflicts of interest. The Corporation did not document safeguards to address the potential conflicts of interest identified through the annual process. |
|
Providing strategic direction |
The Governing Council provided strategic direction. |
The Governing Council participated in setting strategic direction. |
|
Governing Council appointments and competencies |
The Governing Council collectively had capacity and competencies to fulfill its responsibilities. |
The Governing Council determined the skills and expertise it needed to be effective. It also communicated to the responsible Minister its needs for Governing Council member appointments. Significant deficiency There were several vacancies and expired terms on the Governing Council, and two of its committees were at risk of losing quorum. (For additional information, see Subsequent Events at the end of the report.) |
|
Governing Council oversight |
The Governing Council carried out its oversight role over the Corporation. |
The Governing Council had regular communications with its responsible Minister and stakeholders. The Governing Council made decisions, offered direction, and requested information. The Corporation conducted internal audits to meet the requirements of the Financial Administration Act and of its two international accreditation bodies (the International Laboratory Accreditation Cooperation and the International Accreditation Forum). Weakness The Governing Council did not receive all the information it needed to adequately oversee the Corporation. |
|
Legend—Assessment against the criteria Met the criteria Met the criteria, with improvement needed Did not meet the criteria |
23. Weaknesses—Governing Council independence. Procedures were in place for Governing Council members to declare potential conflicts of interest annually. However, there was no standing item on the agendas of the Governing Council and its supporting committees to disclose potential conflicts of interest on an ongoing basis. In addition, two Governing Council members had declared potential conflicts of interest through the annual process, but the Corporation had not documented what safeguards were implemented to address them.
24. These weaknesses matter because they exposed the Corporation to reputation risk. Also, there was a risk of real, potential, or apparent conflicts of interest when the Governing Council discussed topics such as decisions that might affect standards development organizations (SDOs). Ongoing disclosure of potential conflicts of interest and documented safeguards are important to establish credibility and to support sound governance and accountability.
25. Recommendation. The Corporation should ensure that members declare potential conflicts of interest on an ongoing basis. It should also document safeguards to address potential conflicts of interest.
The Corporation’s response. Agreed. Starting in April 2019, the Corporation will ensure that each meeting’s agenda will include a standing agenda item providing for an additional opportunity for any member to declare any new or arising conflicts, with the meeting minutes reflecting the necessary safeguards, in addition to members’ annual declaration, specifically if related to any of the items on the agenda. As well, the Corporation has added a section to the annual declaration form to further document responses to any declarations.
26. Significant deficiency—Governing Council appointments. There were 13 positions on the Governing Council, including 10 for members appointed by the Governor in Council. At the end of August 2018, 4 positions were vacant (1 since June 2017), and 3 positions were held by members after their terms had expired. The Audit Committee and the Corporate Governance Committee were at risk of losing quorum because of these vacancies. As permitted by the Financial Administration Act, members with expired terms agreed to continue their duties on the Governing Council until they were reappointed or replaced. The Governor in Council appoints members to these vacant and expired positions on the recommendation of the Minister of Innovation, Science and Economic Development. Therefore, these appointments were outside of the Corporation’s control. Despite the Governing Council’s proactive approach to communicating its needs to the Minister, there was a risk that 7 of the 13 positions on the Governing Council could become vacant. (For additional information, see Subsequent Events at the end of the report.)
27. This deficiency matters because when many Governing Council members are replaced at once or within a short time frame, continuity is affected and corporate memory is reduced. Having significant turnover also compromises the Governing Council’s ability to exercise effective oversight. Also, quorum is more difficult to achieve when the number of Governing Council members decreases.
28. Recommendation. The Corporation should continue to engage with the Minister of Innovation, Science and Economic Development on the need for sufficient and timely appointments to its Governing Council. It should also continue to provide the Minister with profiles of potential candidates and reinforce the need for staggered terms of office.
The Corporation’s response. Agreed. The Corporation will continue to engage with the Minister of Innovation, Science and Economic Development on the need for sufficient and timely appointments to its Governing Council. The Corporation will also continue to provide the Minister with skills matrices and profiles of potential candidates, and will reinforce the need for staggered terms of office. The October 2018 appointments will assist the Governing Council in addressing continuity concerns in the future. There were six appointments and two reappointments, and the terms were two years for one member, three years for two members, and four years for five members.
29. Weakness—Governing Council oversight. The Corporation did not provide the Governing Council with all the information it needed to oversee the Corporation effectively, including in the following areas:
- Risk mitigation measures and their implementation. The Governing Council did not receive complete information on the implementation of risk mitigation measures (see “Risk monitoring and reporting” in Exhibit 5).
- Laws, regulations, and ethical performance. The Governing Council did not receive confirmation that the Corporation had complied with regulatory requirements. It also did not receive confirmation that employees, management, and Governing Council members had provided all declarations of actual or potential conflicts of interest and of their adherence to the Corporation’s Code of Conduct.
- Information related to accredited organizations. The Governing Council did not receive information on complaints to the Corporation about accredited organizations, or information the Corporation had that could affect the reputation of accredited organizations. As a result, the Governing Council could not oversee whether the Corporation had taken action. The Governing Council was informed of complaints only when the Corporation received a request for an appeal on a denial, suspension, or withdrawal of an accreditation.
30. This weakness matters because the Governing Council is responsible for ensuring that the Corporation fulfills its mandate and manages its activities properly. Without complete information, the Governing Council could not fully perform its oversight role.
31. Recommendation. The Corporation should ensure that the Governing Council receives all of the information it needs to effectively oversee the Corporation.
The Corporation’s response. Agreed. Starting in December 2018, the Corporation is providing written quarterly updates on these topics to the Governing Council and its Audit Committee. Summaries are also being provided to the Governing Council about corporate risk mitigation measures, compliance with laws and regulations, and ethical performance. As well, the Governing Council and its two supporting committees are receiving additional information, in real time and at meetings, about complaints against accreditation organizations and other matters related to potential reputation risk. Management will also be providing the Governing Council with an annual attestation of compliance with all relevant laws and regulations. The Corporation’s documented compliance with laws and regulations will be finalized in the first quarter of the 2019–20 fiscal year.
32. Analysis. We found that the Corporation had good strategic planning, performance measurement, and performance monitoring and reporting (Exhibit 4).
Exhibit 4—Strategic planning and performance measurement, monitoring, and reporting—key findings and assessment
33. Analysis. There were weaknesses in risk mitigation, and in risk monitoring and reporting. The Corporation had in place good risk identification and assessment practices (Exhibit 5).
Exhibit 5—Risk management—key findings and assessment
34. Weaknesses—Risk mitigation, and risk monitoring and reporting. We found that many risk mitigation responses were not clearly defined, and that they lacked timelines. The following are examples:
- The mitigation responses for a risk on modernized business tools and processes were for the Corporation to continue to modernize its information management and technology and to update its quality management system process. We found that these responses were too general and lacked a timeline for implementation.
- As of 31 March 2018, the Corporation had invested close to $2 million in a new system for the provision of accreditation services. However, we found that no clear risk mitigation responses had been identified for this project. At the end of the period covered by the audit, this project was at risk of being cancelled. (For additional information, see Subsequent Events at the end of the report.)
35. The Corporation developed a corporate risk matrix that contained the risks it had identified through the corporate planning process. The matrix did not include mitigation responses, which made it difficult for senior management to monitor and report on the status of the responses and track progress on actions taken. We found that risk information that management provided to the Audit Committee was limited to the corporate risk matrix. This matrix was provided only annually and was limited to quarterly updates on key information management and technology projects, one of the risk areas the Corporation had identified. We also found that the Governing Council received limited information for most risk mitigation responses related to the 2017–18 fiscal year.
36. These weaknesses matter because timelines and clearly explained mitigation responses would allow the Corporation to better monitor the implementation of these responses. Furthermore, reporting on risk mitigation responses is necessary for the Governing Council to perform its oversight.
37. Recommendation. The Corporation should ensure that risk mitigation responses are specific, have a timeline for implementation, and are monitored. It should also provide regular information on the implementation of risk mitigation responses to the Governing Council.
The Corporation’s response. Agreed. Starting in December 2018, the Corporation is providing information regarding the implementation of risk mitigation responses, including quarterly risk updates, to its Audit Committee and Governing Council. This will also include more specific information about risk mitigation responses and timelines for implementing these activities to enhance monitoring.
Management of operations
38. The Corporation does not develop national standards; it accredits standards development organizations (SDOs) to do so. Once SDOs develop standards, they provide them to the Corporation for approval, except when an SDO has received a self-declaration status (see next paragraph). Once approved, the standards become National Standards of Canada. Canadian standards may be developed in Canada or adopted from international standards. During the 2017–18 fiscal year, the Corporation approved 285 National Standards of Canada. About 75% of these were adopted from international standards.
39. In the 2017–18 fiscal year, the Corporation introduced a new process for approving national standards. SDOs that qualify under criteria established by the Corporation can request a “self-declaration status,” which means that they can approve standards as National Standards of Canada without further approval from the Corporation. The Corporation requires SDOs to follow a quality control process to ensure that they have completed all required steps of standards development before they publish the standards. The Corporation verifies the self-declaring organizations’ standards development projects on a sample basis during the accreditation process. As of August 2018, two organizations had requested and received their self-declaration status.
40. In addition to accrediting SDOs, the Corporation accredits 472 conformity assessment organizations. The accreditation programs are based on internationally recognized guidelines and standards, and they include assessments of whether organizations are competent to carry out specific functions.
41. The Corporation had a member program consisting of 3,189 members as of March 2018. This program comprised a pool of experts that the Corporation could draw from to participate on more than 450 technical committees, mainly at the international level. The Corporation also established mirror committees, which are Canadian committees that facilitate Canada’s participation in standardization activities of the corresponding technical committee. For example, there were mirror committees on artificial intelligence, toy safety, and ice hockey equipment and facilities. Mirror committees help ensure that Canadian interests are considered in international standards development. Participating in international standardization helps facilitate international trade by ensuring that Canada’s products and services are compatible internationally.
The Corporation had good operations management practices, but improvements were needed in some areas
42. The Corporation had good operations management practices. However, we found that improvements were needed in its accreditation services, as well as in the procedures it established for developing Canadian standards.
43. Our analysis supporting this finding discusses the following topic:
44. Our recommendations in this area of examination appear at paragraphs 48, 51, and 54.
45. Analysis. The Corporation had good operations management practices, but improvements were needed in accreditation services and Canadian standards development (Exhibit 6).
Exhibit 6—Operations management—key findings and assessment
46. Weaknesses—Accreditation services. The procedures established by the Corporation required a review of complaints about accredited organizations that were directly related to the accredited activities. We found that the Corporation had not systematically considered complaints that may not have been directly related to the accredited activities of an organization for their potential impact on the accreditation, and on the Corporation as an accreditor. Moreover, while the Corporation was required to verify the organizations’ publicizing of their accreditation—for example, their use of the accreditation symbol—we found no evidence that the Corporation did this.
47. These weaknesses matter because the misuse of the accreditation symbol, as well as the number and nature of complaints about an accredited organization, could lead to a suspension or withdrawal of an accredited activity.
48. Recommendation. The Corporation should systematically consider the potential impact on the accreditation of an organization, and on the Corporation as an accreditor, of complaints that may not have been directly related to the accredited activities. It should also ensure that it verifies the organizations’ publicizing of their accreditation. These activities, and any resulting impact on the organizations’ accreditation, should be properly documented.
The Corporation’s response. Agreed. The Corporation will review its accreditation process to ensure that it routinely documents accredited organizations’ publicizing of their accreditation activities. The Corporation will also systematically consider the potential impact of relevant complaints against an accredited organization, in cases where there may be an impact related to accredited activities or reputation. The Corporation anticipates for this matter to be finalized in the second quarter of the 2019–20 fiscal year.
49. Weakness—Canadian standards development (“mature draft”). The Corporation required SDOs to put a new or revised standard through a public review of a minimum period of 60 days when a mature draft of the standard was available. We found that the Corporation had not defined what a “mature draft” meant, which made it difficult for it to assess compliance against this requirement.
50. This weakness matters because without a clear definition of a mature draft, there was a risk that the requirement could be interpreted in different ways by stakeholders and not be applied consistently. This is even more important when some SDOs approve standards as National Standards of Canada.
51. Recommendation. In its requirement for standards development organizations, the Corporation should include a definition of “mature draft.”
The Corporation’s response. Agreed. The Corporation is currently reviewing the Corporation’s document entitled Requirements & Guidance—Accreditation of Standards Development Organizations to address the concern raised with respect to the concept of “mature draft,” consistent with the consensus understanding that is already in place within Canada’s standardization network. The Corporation anticipates for this matter to be finalized in the second quarter of the 2019–20 fiscal year.
52. Weakness—Canadian standards development (self-declaring SDOs). The self-declaration status, introduced in the 2017–18 fiscal year, allowed some pre-qualified SDOs to develop and approve standards as National Standards of Canada. Under this model, and regardless of the risk, the Corporation reviewed standards development projects on a sample basis, and only after they were approved and published by the SDOs. This was done to ensure that SDOs complied with the Canadian standards development procedures established by the Corporation. This verification could take place as long as one year after a standard was approved, or not at all if the approved standard was not included in the sample. Nevertheless, we found that for one standard approved by a self-declaring SDO, the Corporation had to mitigate its risks by reviewing information before the SDO published the standard.
53. This weakness matters because there was a risk that an SDO would approve and publish a standard as a National Standard of Canada without meeting all the Corporation’s requirements, and that the Corporation would not find out, or would find out only after the standard had been published.
54. Recommendation. The Corporation should regularly review the self-declaration model to determine whether it requires any changes. It should also determine whether, based on risks, it should perform any oversight of standards approved by self-declaring standards development organizations before they are published as National Standards of Canada.
The Corporation’s response. Agreed. The Corporation is currently reviewing the criteria for its self-declaration model with a view to strengthening the criteria for which an SDO is granted self-declaration status. The revised criteria will provide enhanced rigour and oversight of the risk to the Corporation up front in the process, and include additional review of the types of standards that the SDO would be submitting in order to achieve self-declaration status. This would also enable the Corporation to conduct a special audit of an SDO, if warranted, in the case of any emerging risk being identified in relation to a standard being self-declared. The Corporation anticipates that this matter will be finalized in the second quarter of the 2019–20 fiscal year.
Conclusion
55. In our opinion, based on the criteria established, there was a significant deficiency in the Standards Council of Canada’s corporate governance, but there was reasonable assurance that there were no significant deficiencies in the other systems and practices that we examined. We concluded that except for this significant deficiency, the Corporation maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.
Subsequent Events
56. The Corporate Governance section of this report discusses the significant deficiency that we found in the Governing Council appointments. At the end of August 2018, 4 of the 10 Governing Council members’ terms were vacant, and 3 had expired. On 3 October 2018, the Governor in Council re-appointed 2 members and appointed 6 new members. Although these appointments are expected to contribute to the Corporation’s oversight, the turnover is significant in that 6 of the 13 members are new.
57. In December 2018, management decided to cancel the project under way for developing a new system for the provision of accreditation services.
About the Audit
This independent assurance report was prepared by the Office of the Auditor General of Canada on the Standards Council of Canada. Our responsibility was to express
- an opinion on whether there is reasonable assurance that during the period covered by the audit, there were no significant deficiencies in the Corporation’s systems and practices that we selected for examination; and
- a conclusion about whether the Corporation complied in all significant respects with the applicable criteria.
Under section 131 of the Financial Administration Act (FAA), the Standards Council of Canada is required to maintain financial and management control and information systems and management practices that provide reasonable assurance that
- its assets are safeguarded and controlled;
- its financial, human, and physical resources are managed economically and efficiently; and
- its operations are carried out effectively.
In addition, section 138 of the FAA requires the Corporation to have a special examination of these systems and practices carried out at least once every 10 years.
All work in this audit was performed to a reasonable level of assurance in accordance with the Canadian Standard for Assurance Engagements (CSAE) 3001—Direct Engagements set out by the Chartered Professional Accountants of Canada (CPA Canada) in the CPA Canada Handbook—Assurance.
The Office applies Canadian Standard on Quality Control 1 and, accordingly, maintains a comprehensive system of quality control, including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.
In conducting the audit work, we have complied with the independence and other ethical requirements of the relevant rules of professional conduct applicable to the practice of public accounting in Canada, which are founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour.
In accordance with our regular audit process, we obtained the following from the Corporation:
- confirmation of management’s responsibility for the subject under audit;
- acknowledgement of the suitability of the criteria used in the audit;
- confirmation that all known information that has been requested, or that could affect the findings or audit conclusion, has been provided; and
- confirmation that the audit report is factually accurate.
Audit objective
The objective of this audit was to determine whether the systems and practices we selected for examination at the Standards Council of Canada were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively as required by section 138 of the Financial Administration Act.
Scope and approach
Our audit work examined the Standards Council of Canada. The scope of the special examination was based on our assessment of the risks that the Corporation faces that could affect its ability to meet the requirements set out by the Financial Administration Act.
In performing our work, we reviewed key documents related to the systems and practices selected for examination. We tested the systems and practices in place to obtain the required level of audit assurance. We also examined a selection of activities, such as accreditation, re-accreditation, annual surveillance, and approval of standards. Selection was based on assessed risk and professional judgment.
We also interviewed members of the Governing Council, senior management, and other employees of the Corporation. We observed some meetings of the Governing Council and its committees, and strategic planning sessions held with management and Governing Council members.
The systems and practices selected for examination for each area of the audit are found in the exhibits throughout the report.
In carrying out the special examination, we did not rely on any internal audits.
Sources of criteria
The criteria used to assess the systems and practices selected for examination are found in the exhibits throughout the report.
Corporate governance
Meeting the Expectations of Canadians: Review of the Governance Framework for Canada’s Crown Corporations, Treasury Board Secretariat, 2005
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013
Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996
20 Questions Directors Should Ask about Risk, second edition, Canadian Institute of Chartered Accountants, 2006
Performance Management Program for Chief Executive Officers of Crown Corporations—Guidelines, Privy Council Office, 2016
Practice Guide: Assessing Organizational Governance in the Public Sector, The Institute of Internal Auditors, 2014
Strategic planning and performance measurement, monitoring, and reporting
Meeting the Expectations of Canadians: Review of the Governance Framework for Canada’s Crown Corporations, Treasury Board Secretariat, 2005
Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996
Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996
Recommended Practice Guideline 3, Reporting Service Performance Information, International Public Sector Accounting Standards Board, 2015
20 Questions Directors Should Ask about Risk, second edition, Canadian Institute of Chartered Accountants, 2006
Risk management
20 Questions Directors Should Ask about Risk, second edition, Canadian Institute of Chartered Accountants, 2006
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013
Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Department of Finance and Treasury Board, 1996
Operations management
Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013
Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996
Plan-Do-Check-Act management model adapted from the Deming Cycle
Standards Council of Canada Act
A Guide to the Project Management Body of Knowledge (PMBOK® Guide), fourth edition, Project Management Institute IncorporatedInc., 2008
Control Objectives for Information and related TechnologyCOBIT 5 Framework—APO05 (Manage Portfolio), BAI01 (Manage Programmes and Projects), EDM02 (Ensure Benefits Delivery), Information Systems Audit and Control AssociationISACA
Period covered by the audit
The special examination covered the period between 1 September 2017 and 31 August 2018. This is the period to which the audit conclusion applies. However, to gain a more complete understanding of the significant systems and practices, we also examined certain matters that preceded the starting date of this period. We also noted subsequent events on 3 October 2018 and in December 2018.
Date of the report
We obtained sufficient and appropriate audit evidence on which to base our conclusion on 11 February 2019, in Ottawa, Canada.
Audit team
Principal: Nathalie Chartrand
Director: Josée Maltais
Fera Awada
Charles Gay
Jenna Laframboise
List of Recommendations
The following table lists the recommendations and responses found in this report. The paragraph number preceding the recommendation indicates the location of the recommendation in the report, and the numbers in parentheses indicate the location of the related discussion.
Corporate management practices
Recommendation | Response |
---|---|
25. The Corporation should ensure that members declare potential conflicts of interest on an ongoing basis. It should also document safeguards to address potential conflicts of interest. (23 to 24) |
The Corporation’s response. Agreed. Starting in April 2019, the Corporation will ensure that each meeting’s agenda will include a standing agenda item providing for an additional opportunity for any member to declare any new or arising conflicts, with the meeting minutes reflecting the necessary safeguards, in addition to members’ annual declaration, specifically if related to any of the items on the agenda. As well, the Corporation has added a section to the annual declaration form to further document responses to any declarations. |
28. The Corporation should continue to engage with the Minister of Innovation, Science and Economic Development on the need for sufficient and timely appointments to its Governing Council. It should also continue to provide the Minister with profiles of potential candidates and reinforce the need for staggered terms of office. (26 to 27) |
The Corporation’s response. Agreed. The Corporation will continue to engage with the Minister of Innovation, Science and Economic Development on the need for sufficient and timely appointments to its Governing Council. The Corporation will also continue to provide the Minister with skills matrices and profiles of potential candidates, and will reinforce the need for staggered terms of office. The October 2018 appointments will assist the Governing Council in addressing continuity concerns in the future. There were six appointments and two reappointments, and the terms were two years for one member, three years for two members, and four years for five members. |
31. The Corporation should ensure that the Governing Council receives all of the information it needs to effectively oversee the Corporation. (29 to 30) |
The Corporation’s response. Agreed. Starting in December 2018, the Corporation is providing written quarterly updates on these topics to the Governing Council and its Audit Committee. Summaries are also being provided to the Governing Council about corporate risk mitigation measures, compliance with laws and regulations, and ethical performance. As well, the Governing Council and its two supporting committees are receiving additional information, in real time and at meetings, about complaints against accreditation organizations and other matters related to potential reputation risk. Management will also be providing the Governing Council with an annual attestation of compliance with all relevant laws and regulations. The Corporation’s documented compliance with laws and regulations will be finalized in the first quarter of the 2019–20 fiscal year. |
37. The Corporation should ensure that risk mitigation responses are specific, have a timeline for implementation, and are monitored. It should also provide regular information on the implementation of risk mitigation responses to the Governing Council. (34 to 36) |
The Corporation’s response. Agreed. Starting in December 2018, the Corporation is providing information regarding the implementation of risk mitigation responses, including quarterly risk updates, to its Audit Committee and Governing Council. This will also include more specific information about risk mitigation responses and timelines for implementing these activities to enhance monitoring. |
Management of operations
Recommendation | Response |
---|---|
48. The Corporation should systematically consider the potential impact on the accreditation of an organization, and on the Corporation as an accreditor, of complaints that may not have been directly related to the accredited activities. It should also ensure that it verifies the organizations’ publicizing of their accreditation. These activities, and any resulting impact on the organizations’ accreditation, should be properly documented. (46 to 47) |
The Corporation’s response. Agreed. The Corporation will review its accreditation process to ensure that it routinely documents accredited organizations’ publicizing of their accreditation activities. The Corporation will also systematically consider the potential impact of relevant complaints against an accredited organization, in cases where there may be an impact related to accredited activities or reputation. The Corporation anticipates for this matter to be finalized in the second quarter of the 2019–20 fiscal year. |
51. In its requirement for standards development organizations, the Corporation should include a definition of “mature draft.” (49 to 50) |
The Corporation’s response. Agreed. The Corporation is currently reviewing the Corporation’s document entitled Requirements & Guidance—Accreditation of Standards Development Organizations to address the concern raised with respect to the concept of “mature draft,” consistent with the consensus understanding that is already in place within Canada’s standardization network. The Corporation anticipates for this matter to be finalized in the second quarter of the 2019–20 fiscal year. |
54. The Corporation should regularly review the self-declaration model to determine whether it requires any changes. It should also determine whether, based on risks, it should perform any oversight of standards approved by self-declaring standards development organizations before they are published as National Standards of Canada. (52 to 53) |
The Corporation’s response. Agreed. The Corporation is currently reviewing the criteria for its self-declaration model with a view to strengthening the criteria for which an SDO is granted self-declaration status. The revised criteria will provide enhanced rigour and oversight of the risk to the Corporation up front in the process, and include additional review of the types of standards that the SDO would be submitting in order to achieve self-declaration status. This would also enable the Corporation to conduct a special audit of an SDO, if warranted, in the case of any emerging risk being identified in relation to a standard being self-declared. The Corporation anticipates that this matter will be finalized in the second quarter of the 2019–20 fiscal year. |